Hi Nang Shwe Yea Oo,
Thank you for your question on the Microsoft Q&A portal.
We understand you are planning to upgrade from WAF V1 to WAF V2 and want to ensure a smooth transition in line with Microsoft's TLS 1.2 enforcement deadline on August 31. You're also seeking clarity on how to handle TLS 1.0/1.1 traffic, upgrade timing, and any risks involved in the process.
Below are detailed answers to your concerns:
1. What happens if TLS 1.0/1.1 connections are still in use after 31 August?
- Microsoft will enforce TLS 1.2 or higher for Azure services including WAF.
- Connections using TLS 1.0 or 1.1 will be blocked or dropped, so it is essential to prepare your clients and backends to support TLS 1.2 or newer.
2. Can you upgrade the WAF after the deadline if the TLS 1.2 transition is not complete?
- Yes, you can still upgrade the WAF from V1 to V2 after the deadline.
- However, connections using TLS versions below 1.2 will not be allowed once enforcement is active, so clients must comply to connect successfully.
3. Will services resume normal operation after upgrading to WAF V2 with TLS 1.2 enabled post-deadline?
- After upgrading and enabling TLS 1.2 support, services will function normally as long as clients use supported TLS versions.
- No additional remediation steps are usually required beyond ensuring TLS compliance.
4. Known issues or risks migrating WAF V1 → V2 related to TLS 1.2 enforcement:
- WAF V2 supports autoscaling, zone redundancy, and improved throughput. Migration requires planning but does not intrinsically cause TLS issues.
- Ensure backend pools and clients are all compatible with TLS 1.2 to avoid connection failures.
- Review custom WAF rules as rule behavior could vary slightly between V1 and V2.
Recommended migration steps:
- Plan and start migration early to avoid last-minute issues.
- Use the Azure PowerShell migration script specifically built to copy configuration from WAF V1 to WAF V2:
https://free.blessedness.top/en-us/azure/application-gateway/migrate-v1-v2
- Validate the new WAF V2 configuration in a test environment before cutover.
- Perform DNS update or Traffic Manager based traffic shift as described in the migration documentation for smooth cutover.
- Monitor logs and alerts closely post-migration for any TLS or WAF rule related errors.
Useful Documents:
- Upgrade Azure Application Gateway and Web Application Firewall from V1 to V2:
https://free.blessedness.top/en-us/azure/application-gateway/migrate-v1-v2
- Azure Web Application Firewall overview:
https://free.blessedness.top/en-us/azure/web-application-firewall/ag/ag-overview
- TLS 1.0 and 1.1 Retirement on Azure Application Gateway:
https://free.blessedness.top/en-us/azure/application-gateway/application-gateway-tls-version-retirement
To comply with Microsoft's TLS 1.2 enforcement deadline, ensure clients and backends support TLS 1.2+ before August 31, or connections will be blocked. You can upgrade WAF V1 to V2 anytime; the critical point is ensuring TLS compliance to maintain connectivity. Use Microsoft’s migration tools and documentation to plan and execute the upgrade with minimal disruption.
I hope this helps you resolve the issue. If you have any further queries, I am happy to assist.
Thank you.
Pranitha
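
Added example (not part of the original answer and not Microsoft tooling): one way to act on the "ensure clients support TLS 1.2" and "monitor logs" points is to list which clients still negotiate TLS 1.0/1.1 before the deadline. It assumes gateway access logs exported as JSON lines with `properties.sslProtocol`, `properties.clientIP` and `properties.userAgent` fields and protocol strings such as `TLSv1.1`; check these against your own exported logs. The sample records are constructed.

```python
import json
from collections import Counter

# Protocol strings treated as below TLS 1.2 (assumed log values).
LEGACY = {"TLSv1", "TLSv1.0", "TLSv1.1"}

# Constructed sample records, not real traffic. The last line is deliberately truncated.
SAMPLE_LOG = """\
{"operationName":"ApplicationGatewayAccess","properties":{"clientIP":"203.0.113.10","userAgent":"LegacyPOS/2.1","sslEnabled":"on","sslProtocol":"TLSv1.0"}}
{"operationName":"ApplicationGatewayAccess","properties":{"clientIP":"203.0.113.10","userAgent":"LegacyPOS/2.1","sslEnabled":"on","sslProtocol":"TLSv1.0"}}
{"operationName":"ApplicationGatewayAccess","properties":{"clientIP":"198.51.100.7","userAgent":"curl/7.29.0","sslEnabled":"on","sslProtocol":"TLSv1.1"}}
{"operationName":"ApplicationGatewayAccess","properties":{"clientIP":"192.0.2.44","userAgent":"Mozilla/5.0","sslEnabled":"on","sslProtocol":"TLSv1.2"}}
{"operationName":"ApplicationGatewayAccess","properties":{"clientIP":"192.0.2.45","userAgent":"Mozilla/5.0","sslEnabled":"off","sslProtocol":""}}
{"operationName":"ApplicationGatewayAccess","properties":{"clientIP":"192.0.2.46
"""


def legacy_tls_clients(lines):
    """Count requests below TLS 1.2, keyed by (clientIP, userAgent, protocol)."""
    hits = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(record, dict):
            continue
        props = record.get("properties") or {}
        proto = props.get("sslProtocol") or ""
        if proto in LEGACY:
            key = (props.get("clientIP") or "?", props.get("userAgent") or "?", proto)
            hits[key] += 1
    return hits


def report(lines):
    """Return report rows, busiest legacy client first."""
    rows = legacy_tls_clients(lines).most_common()
    return [f"{n:>4}  {proto:<8} {ip:<15} {ua}" for (ip, ua, proto), n in rows]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Each row identifies a client that will fail to connect once TLS 1.0/1.1 is blocked; an empty report over a representative log window suggests the traffic seen in that window is already on TLS 1.2 or higher.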